Slide 2
The Bottom Line
Cyber risks are increasing:
– State and local government organizations are targets and are not well defended
– Traditional defenses are no longer effective
– The probability of a successful attack is increasing
– IT security is not well managed at the enterprise level
– Workstations are the front line, and they are not well defended
– IT security mistakes are happening too often
– We have too much old, insecure technology in use

Slide 3
Why is This Happening?
You have things the bad people want:
– Money
– Information that is worth money
– Things that can be damaged to make a political statement
Because it is easy to attack you:
– Too much information is in the public domain
– Your IT environment is not well defended
– Our people are not well trained in this topic
– The bad guys are good
– We do not have an effective defense
– We are not good at detecting and responding to attack
– We have a lot of outdated technology that needs to be replaced

Slide 6
The State Has Had Issues Too
– Department of Revenue, 1/15/2013: USB drive with a virus; no data breach
– Department of Enterprise Services, 2/12/2013: user went to an infected web site; no data breach
– Administrator of the Courts, 5/9/2013: web site hacked; data breach of 1 million WDL numbers and 160K SSNs

Slide 8
How Attackers are Succeeding
The Advanced Persistent Threat (APT) approach is working because:
– People are taken in by phishing email
– Workstations are vulnerable
  – Elevated user permissions
  – Poor security maintenance practices for patching and for keeping end-point defensive systems current
– Network defense is not well done
– The bad guys are good: malware detects defenses and morphs
– Complacent leaders: people don't believe it "will happen to them"
– Government IT is not fully staffed or funded

Slide 10
It is easy to attack you; you are not well defended
– 79% of victims were targets of opportunity
– 96% of attacks were not highly difficult
– 94% of all data was compromised from servers
– 85% of breaches took 2 weeks or more to detect
– 92% were discovered by a third party
– 97% of breaches were avoidable through simple or intermediate controls
– 96% of victims subject to PCI DSS had not achieved compliance
Source: 2012 Verizon Data Breach Investigations Report; 2013 Verizon Data Breach Investigations Report; US Secret Service banking data

Slide 12
So What? Why Do I Care?
You only care if:
– You have large amounts of money in online managed bank accounts
– You have large amounts of protected data in your computing environment
– The availability and integrity of your systems is important to your customers

Slide 13
Approach to the Problem
Choices for dealing with risk:
– Reduce or eliminate the risk (mitigation)
– Plan to do something if the risk happens (response)
– Transfer the risk (insurance)
– Accept the risk

Slide 14
Risk Manager Action Plan
Partner with IT leadership. You can't do this alone, and neither can they. Then:
1. Measure your risk
   – Do you know what protected data you have?
   – Do you know how well your IT department is doing?
   – Has IT performed vulnerability assessments?
   – Does IT have an incident detection and response plan?
2. Implement secure online banking
3. Adopt a standard for IT security; the SANS 20 Critical Controls are recommended as a framework
4. Eliminate old, risky technology

Slide 20
Action Item No. 4: Eliminate Obsolete Technology
Old technology causes elevated risk:
– Old versions of Windows operating systems
– Old software that requires administrator privilege to run
– Old firewall technology that only does one thing
– Old anti-virus software that is not effective

Slide 21
Example: Windows XP
Windows XP should go away:
– 34% of installed desktops (Netmarketshare.com, August 2013)
– No longer supported by Microsoft after April 2014
– 21 times more likely to be successfully attacked than Windows 8
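The slide says Windows XP should go away, but a risk manager first needs to know how many XP (and other obsolete) machines the organization still runs and which of them are actually in use. The following PowerShell is an added example, not part of the original deck, that pulls that inventory from Active Directory. It assumes the Active Directory module (RSAT) is installed and the account running it can read computer objects; the OS name patterns in $obsolete, the 30-day "still in use" window and the output file name are local choices, not anything the slides specify.

```powershell
# Added example, not from the original slides: inventory domain-joined computers
# by operating system so obsolete versions can be found and retired.
# Assumptions: the ActiveDirectory module (RSAT) is installed and the caller can
# read computer objects in the domain.
Import-Module ActiveDirectory

# OS name patterns treated as obsolete for this report (local assumption; extend as needed).
$obsolete = @('Windows XP*', 'Windows 2000*', 'Windows Server 2003*')

# Hosts that logged on within this many days are considered still in use (assumption).
$activeDays = 30

$computers = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate

# 1. Size of the problem: number of computers per operating system version.
$computers |
    Group-Object OperatingSystem |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'OperatingSystem'; Expression = { $_.Name } } |
    Format-Table -AutoSize

# 2. Obsolete hosts that are still active, i.e. the ones that need a replacement plan.
$stillInUse = $computers | Where-Object {
    $os = $_.OperatingSystem
    $isObsolete = $false
    foreach ($pattern in $obsolete) {
        if ($os -like $pattern) { $isObsolete = $true }
    }
    # LastLogonDate is $null for machines that never logged on; $null -gt <date> is $false.
    $isObsolete -and ($_.LastLogonDate -gt (Get-Date).AddDays(-$activeDays))
}

# Export the list so it can be handed to IT with owner (OU) information attached.
$stillInUse |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, DistinguishedName |
    Sort-Object LastLogonDate -Descending |
    Export-Csv -Path .\obsolete-hosts.csv -NoTypeInformation

"{0} of {1} computers run an obsolete OS and logged on in the last {2} days" -f @($stillInUse).Count, @($computers).Count, $activeDays
```

Two caveats when reading the output: LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only updated every 9 to 14 days, so treat it as a coarse "still alive" signal rather than an exact date; and machines that are not domain-joined (kiosks, lab equipment, vendor-managed boxes) will not appear here at all and need a separate network discovery pass.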

Slide 22
How Much Will It Cost?
It will cost more to have a fraud or data security breach incident than it will to fix the problems.

Slide 23
Next Steps to Solve this Business Problem
1. Partner with your IT manager to quantify your cyber risks and fix the problems
2. Assess the quality of your defense
   – Use the SANS 20 as a risk assessment baseline; be realistic
   – Perform vulnerability scanning to measure
   – Do you have old technology that should be replaced?
3. Help IT prioritize what is needed
4. Become the champion to senior leadership
   – Help them see the business risk
   – Help find loss prevention funding to reduce cyber liability risk
5. Hold IT accountable for a good defense, detection, and response